Dark ReadingArchived May 28, 2026✓ Full text saved
Dutch law enforcement seized 800 servers and arrested two operators of THE.Hosting but left the hosting provider's core IP address space intact.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBER RISK
CYBERATTACKS & DATA BREACHES
THREAT INTELLIGENCE
NEWS
Dutch Raid Fails to Dent Russian Bulletproof Host
Dutch law enforcement seized 800 servers and arrested two operators of THE.Hosting but left the hosting provider's core IP address space intact.
Jai Vijayan,Contributing Writer
May 28, 2026
4 Min Read
SOURCE: VIKTOLLIO VIA SHUTTERSTOCK
A recent Dutch law enforcement operation to dismantle a bulletproof hosting network appears to have done little to disrupt its ongoing malicious activity, highlighting the resilience of modern cybercriminal infrastructure against takedown efforts.
On May 18, the Netherlands Ministry of Finance's fiscal crime service (FIOD) seized more than 800 servers and arrested two people connected to THE.Hosting, a network tied to Russian cybercrime and influence operations in the European Union.
THE.Hosting Scanning Activity Continues Unabated
But more than a week later, scanning activity from the network has remained at almost the same levels as before, according to researchers at Prague-based threat intelligence firm ELLIO.
"The traffic is broad, opportunistic attack and botnet-building," ELLIO said in a report this week. "It recruits Internet-of-Things devices into botnets, drops cryptominers and self-replicating bots, steals cloud credentials, exploits exposed web applications, and abuses proxy capacity to attack third parties."
Related:Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security
THE.Hosting is the latest incarnation of a bulletproof hosting network that researchers trace back to infrastructure originally controlled by a Russian individual registrant in 2022. Shortly after Russia invaded Ukraine in February 2022, the individual transferred the network's autonomous system number (ASN), AS44477, to a newly incorporated company called Stark Industries Solution. An ASN is a number assigned to a network's block of IP addresses that tells the rest of the Internet how to route traffic to and from those addresses.
When the EU sanctioned Stark Industries in 2025, the operators transferred AS44477 to another newly created entity called PQ Hosting Plus S.R.L. They later rebranded it yet again, to THE.Hosting, and moved operations to a new network, AS209847, under a Dutch company called WorkTitans B.V. The net effect of all the maneuvering was having a Russian bulletproof hosting network sitting inside EU data centers with traffic reaching the Internet from a legitimate Dutch company rather than Russian, ELLIO said.
"The company history reads like a relay race run to stay ahead of sanctions," the threat intelligence firm said in an accompanying blog post. "In our honeypot telemetry, this corporate relay shows up cleanly as a migration across autonomous systems, the numbered networks that announce IP address space to the internet."
The old Stark/PQ network drove the scanning through the summer of 2025, according to ELLIO, and "threw one last enormous punch" on Aug. 30. After it faded, THE.Hosting suddenly ramped up in its place, generating more two million scanning sessions per month in November and December 2025.
Related:Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks
A Resilient and Resourceful Adversary
A bulletproof hosting (BPH) service knowingly provides its infrastructure for cybercriminals, ransomware operators and other threat actors. The services typically operate across multiple jurisdictions, ignore abuse complaints, and don't cooperate with law enforcement, making it difficult for authorities to take action against the criminals renting their infrastructure. Cybercriminals use such services to host malware, run botnets, distribute spam, and conduct cyberattacks while avoiding take down efforts.
According to ELLIO, threat actors using the old Stark/PQ network were mainly focused on finding systems with weak or default passwords across services like web servers, SSH access, FTP file transfer, and Windows file shares.
The scanning activity associated with THE.Hosting's is broader and more concerning because it involves databases and industrial control systems (ICS). ELLIO researchers said they observed probes for exposed MongoDB, Redis, PostgreSQL, and Oracle databases alongside scans for DNP3 and EtherNet/IP, which are protocols commonly associated with power grids, water systems, and other industrial facilities.
Related:Content Delivery Exploit Opens Websites to Brand Hijacking
Vlad Iliushin, CEO of ELLIO, says the operators of Stark Industries, PQ Hosting and THE.Hosting have been publicly tied to repeated distributed denial-of-service (DDoS) attacks on European critical infrastructure. They have also been linked to disinformation campaigns, including activity attributed to the pro-Russian group NoName057(16) and the attacks on Danish government systems during the November 2025 elections.
Iliushin points to two reasons why the recent Dutch law enforcement operation has had little effect on THE.Hosting. First, taking physical servers off the rack doesn't take away the address space those servers were using, he says.
"The blocks are still allocated to the operator by the Regional Internet Registry for Europe, [are] still announced via BGP, and as soon as the operator puts new hardware behind those addresses in another data center, in another country, the scanning resumes," Iliushin says, adding that Dutch authorities seized things they could legally seize but there was no BGP blackholing, he says.
The other reason is that THE.Hosting's address blocks, registered under the Dutch firm WorkTitans B.V., are geolocated across the Netherlands, the United States, Germany, Finland, Turkey, the UK, France, Moldova, Poland, Kazakhstan, Czechia and Latvia. "So, the scans we observe are originating from the address blocks assigned to AS209847 but are not necessarily coming from the Netherlands," he says.
The best-case scenario for taking down an operation like THE.Hosting would be collaboration between law enforcement agencies across the European Union and US and to blackhole all address spaces belonging to AS209847, Iliushin notes.
"The FIOD raided servers in Dutch data centers, which means the infrastructure hosted by THE.Hosting and its customers in the Netherlands was affected," he says. "[But] just like legitimate hosting providers, THE.Hosting is reselling VPS in multiple countries, not only in the Netherlands. Infrastructure hosted in other countries is unaffected."
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
CYBER RISK
How Can CISOs Respond to Ransomware Getting More Violent?
by James Doggett
JAN 28, 2026
CYBER RISK
US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
by Alexander Culafi
JAN 05, 2026
CYBER RISK
Switching to Offense: US Makes Cyber Strategy Changes
by Robert Lemos, Contributing Writer
NOV 21, 2025
CYBER RISK
Microsoft Exchange 'Under Imminent Threat,' Act Now
by Arielle Waldman
NOV 12, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS